A cyberattack that shut much of Jaguar Land Rover (JLR) for five weeks did more than stall Britain’s largest automaker. It exposed how a determined, well-funded actor can stop modern production lines and send shock waves through suppliers, logistics networks, dealerships, and consumers.
JLR, owned by India’s Tata Motors, was expected to resume limited output at its engine plant in Wolverhampton. Industry estimates put losses at roughly £50 million a day, or about 1,000 vehicles not built daily. London moved to stabilize the company with a $1.5 billion loan guarantee, largely to cover payments to suppliers.
Jaguar paused production last year as part of a controversial plan to reposition itself as an ultra-luxury brand competing with Rolls-Royce and Bentley. Land Rover, by contrast, has enjoyed strong sales and is developing high-profile models, including an electric Range Rover and a compact “Baby Defender.”
This is a crisis an Israeli firm says it tried to head off. As reported by Bloomberg, cybersecurity startup Deep Specter warned JLR roughly ten weeks before the shutdown about indicators of a targeted campaign. Deep Specter was founded this year by Shaya Feedman, formerly head of cybersecurity at Porsche Digital, the technology arm of Porsche.
In an interview with Walla Cars, Feedman said his company’s tools flagged intent signals aimed at JLR, along with a rise in sensitive data linked to the company surfacing on the darknet.
“Our technology lets us identify the intent of attack groups to break into a specific company,” Feedman said. “We saw a correlation between the volume of sensitive information leaking from Jaguar Land Rover to the darknet, which strengthened our view that this was not a one-off campaign.”
European rules require companies to keep secure inboxes for such warnings, and white-hat researchers are expected to alert potential targets.
“We wrote to that inbox and asked how they wanted to receive the details. We have not received a response to this day. Even after the shutdown was reported, we reached out again,” Feedman said, adding that other firms typically replied “within ten minutes.” JLR declined Bloomberg’s request to explain why the warnings were not acted on.
Feedman said the incident did not appear to be credit-card theft or classic ransomware.
“Here you had a well-funded entity behind the attack, able to invest in reconnaissance and preparation, moving from machine to machine without being detected. We are talking about an investment of millions, with preparations that likely took one to two years, not one to two months. This is not a routine criminal event.”
Lessons for factory floors and supply chains
How can hackers halt three automotive production lines? Feedman points to the fragility of just-in-time manufacturing. Trucks constantly feed components, from steel blanks to seats and dashboards, into synchronized lines that typically pause only for planned maintenance.
“Carmakers maintain a ‘red team’ to attack the production machinery, sometimes equipment from the 1980s, long before modern cyber defenses existed, in order to find vulnerabilities,” he said. “Manufacturers must be able to isolate the production-line network from the rest of the operation, or perfectly monitor every piece of data entering it, to ensure it is not malicious. This is the manufacturers’ weak spot, and they usually treat it with the utmost seriousness.”
Regulators and the widening threat
Feedman said European regulators set clear expectations, but some companies “tick the box” without addressing the underlying risk. As for whether others could face similar attacks: “It is happening right now. There is a wave of campaigns targeting the auto industry, with unclear origins. We have sent warnings about items we detected to BMW, and to other manufacturers as well. That is why automakers are shaking now. Until today, production lines were stopped by events like world wars. Now it is happening for the first time because of a cyberattack.”